Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising performing, in a network apparatus, the steps of classifying traffic flows containing packets based on packet features; providing a copy of a packet contained in a traffic flow to a cluster node; controlling the cluster node to select at least one detector node based on the features of the packet and to forward said copy to the selected detector node to find out based on said copy whether the packet is malicious or not; and in response to receiving from the detector node a flow indication on the traffic flow, controlling a switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
2. A method as claimed in claim 1, wherein the method comprises dynamically defining or obtaining one or more traffic flow forwarding rules, wherein a traffic flow forwarding rule includes information for determining traffic flow type based on the features, and selecting one or more detector nodes for the traffic flow based on the features; wherein said defining or obtaining is carried out in at least one of the control node and the cluster node.
3. A method as claimed in claim 2, wherein the traffic flow forwarding rule comprises information obtained from a switch node.
4. A method as claimed in claim 1, wherein the method comprises determining traffic flow type based on at least one feature of the packet, such as the packet being sent from a specific IP address, the packet being sent to a specific port, the packet being sent to a specific URL, or some other packet feature.
5. A method as claimed in claim 1, wherein the control node comprises at least one of an SDN controller and an SDN orchestrator.
6. An apparatus comprising at least one processor; and at least one memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus to perform the method steps of claim 1.
7. A communications system comprising at least one apparatus according to claim 6.
8. A computer program product stored on a non-transitory distribution medium readable by a computer and comprising program instructions which, when loaded into an apparatus, execute the method according to claim 1.
9. A method comprising performing, in a network apparatus, the steps of obtaining a copy of a packet contained in a traffic flow from a switch node; checking packet features; selecting, based on the packet features, at least one detector node among one or more detector nodes capable of checking based on said copy whether the packet is malicious or not; and forwarding said copy to the selected detector node for checking whether the packet is malicious or not.
10. An apparatus comprising: at least one processor; and at least one non-transitory memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to: cause the apparatus to perform the method of claim 9.
11. A method comprising performing, in a network apparatus, the steps of classifying traffic flows containing packets based on packet features; providing a sample of a traffic flow to a cluster node; receiving, from the cluster node, information on one or more detector nodes selected in the cluster node for features of the sample; controlling a switch node to forward the traffic flow based on rules extracted from the cluster node to the selected detector node to find out whether a packet contained in said traffic flow is malicious or not; and in response to receiving, from the detector node, a flow indication on the traffic flow, controlling the switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
12. A method as claimed in claim 11, wherein the method comprises performing load balancing and/or latency mitigation by distributed anomaly detection in multiple detector nodes.
13. A method as claimed in claim 11, wherein the method comprises distributing input traffic roughly evenly between multiple detector nodes.
14. An apparatus comprising: at least one processor; and at least one non-transitory memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to: cause the apparatus to perform the method of claim 11.
15. A method comprising performing, in a network apparatus, the steps of obtaining a sample of a traffic flow from a switch node; checking features of the sample; based on the checking, selecting at least one detector node among one or more detector nodes capable of checking whether a packet is malicious or not; and indicating to a control node the at least one detector node selected for traffic flow anomaly detection.
16. An apparatus comprising: at least one processor; and at least one non-transitory memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to: cause the apparatus to perform the method of claim 15.
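The control loop of claims 1 and 9 (classify a packet by its features, let the cluster node pick a detector node from forwarding rules, and turn the detector's flow indication into a switch-side flow action), as an added illustrative model that is not the patent's own implementation. Node names, the rule predicates, the blocklist and the packets are constructed for the example.

```python
from dataclasses import dataclass

# Constructed packet model carrying the features the claims name
# (source IP, destination port, URL).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    url: str = ""

# Forwarding rules (claim 2): a predicate over packet features selects a
# detector node. Detector node names are hypothetical.
FORWARDING_RULES = [
    (lambda p: p.dst_port in (80, 443) or bool(p.url), "http-detector"),
    (lambda p: p.dst_port == 53, "dns-detector"),
    (lambda p: True, "generic-detector"),  # catch-all, always matches last
]

# Constructed detector verdicts; the address is a documentation-range sample.
BLOCKED_SOURCES = {"198.51.100.7"}
DETECTORS = {
    name: (lambda p: "malicious" if p.src_ip in BLOCKED_SOURCES else "benign")
    for name in ("http-detector", "dns-detector", "generic-detector")
}

def select_detector(packet: Packet) -> str:
    """Cluster node role (claim 9): choose a detector node from packet features."""
    for predicate, node in FORWARDING_RULES:
        if predicate(packet):
            return node
    raise ValueError("no forwarding rule matched")  # unreachable with catch-all

class SwitchNode:
    """Flow table driven by the control node: removal, modification, installation."""
    def __init__(self):
        self.flow_table = {}

    def apply(self, action, flow_key, rule=None):
        if action == "remove":
            self.flow_table.pop(flow_key, None)
        elif action in ("install", "modify"):
            self.flow_table[flow_key] = rule
        else:
            raise ValueError(f"unknown flow action {action}")

def handle_packet(packet, switch, detectors=DETECTORS):
    """Control node loop (claim 1): forward a copy to the selected detector and
    act on its flow indication; returns (detector node, flow action taken)."""
    flow_key = (packet.src_ip, packet.dst_port)
    node = select_detector(packet)
    if detectors[node](packet) == "malicious":
        switch.apply("remove", flow_key)
        return node, "remove"
    switch.apply("install", flow_key, {"action": "forward"})
    return node, "install"
```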
April 20, 2021